D.2.3 Authorization Protocols

Two authorization protocols are supported in this version of the OpenWindows
software: MIT-MAGIC-COOKIE-1 and SUN-DES-1.
They differ in the authorization data used; they are similar in the access
control mechanism used. At any time, the server implements only one protocol.
The MIT-MAGIC-COOKIE-1 protocol using the user-based mechanism
is the default in the OpenWindows software.

D.2.3.1 MIT-MAGIC-COOKIE-1

The MIT-MAGIC-COOKIE-1 authorization protocol was
developed by the Massachusetts Institute of Technology. At server start-up,
a magic cookie is created for the
server and the user who started the system. On every connection attempt,
the user's client sends the magic cookie to the server as part of the connection
packet. This magic cookie is compared with the server's magic cookie. The
connection is allowed if the magic cookies match, or denied if they do not
match.
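
The exchange described above, as an added example that is not part of the OpenWindows software or its documentation: the client places the authorization name and cookie in the X11 connection setup request, and the server extracts and compares them. The field layout follows the X11 core protocol; the function names, the 16-byte sample cookie and the constant-time comparison are assumptions made for illustration.

```python
import hmac
import struct

AUTH_NAME = b"MIT-MAGIC-COOKIE-1"

def pad4(n):
    """X11 pads variable-length fields to a multiple of 4 bytes."""
    return (n + 3) & ~3

def build_setup(cookie, name=AUTH_NAME, order=b"l"):
    """Client side: connection setup request carrying the cookie as-is."""
    fmt = "<" if order == b"l" else ">"
    # byte order, pad, protocol 11.0, name length, data length, pad
    head = order + b"\x00" + struct.pack(fmt + "HHHHH", 11, 0,
                                         len(name), len(cookie), 0)
    return (head + name.ljust(pad4(len(name)), b"\x00")
                 + cookie.ljust(pad4(len(cookie)), b"\x00"))

def parse_setup(packet):
    """Server side: return (auth_name, auth_data) from a setup request."""
    if len(packet) < 12 or packet[:1] not in (b"l", b"B"):
        raise ValueError("not an X11 connection setup request")
    fmt = "<" if packet[:1] == b"l" else ">"
    _major, _minor, nlen, dlen = struct.unpack_from(fmt + "HHHH", packet, 2)
    data_start = 12 + pad4(nlen)
    if len(packet) < data_start + pad4(dlen):
        raise ValueError("truncated setup request")
    return packet[12:12 + nlen], packet[data_start:data_start + dlen]

def authorize(packet, server_cookie):
    """Allow the connection only if the presented cookie matches."""
    try:
        name, data = parse_setup(packet)
    except ValueError:
        return False
    if name != AUTH_NAME:
        return False
    # Constant-time comparison (a choice made for this example).
    return hmac.compare_digest(data, server_cookie)

if __name__ == "__main__":
    server_cookie = bytes(range(16))           # constructed sample value
    good = build_setup(server_cookie)
    bad = build_setup(b"\xff" * 16)
    print("matching cookie:", authorize(good, server_cookie))
    print("wrong cookie:   ", authorize(bad, server_cookie))
```

The cookie travels in the auth-data field exactly as stored, so the check authenticates possession of the cookie value rather than the identity of the user presenting it.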

D.2.3.2 SUN-DES-1

The SUN-DES-1 authorization protocol, developed by
Sun Microsystems, is based on Secure RPC (Remote Procedure Call) and requires
DES (Data Encryption Software) support. The authorization information is
the machine-independent netname, or network name, of a user. This information
is encrypted and sent to the server as part of the connection packet. The
server decrypts the information, and if the netname is known, allows the connection.

This protocol provides a higher level of security than the MIT-MAGIC-COOKIE-1 protocol. There is no way for another user to
use your machine-independent netname to access a server, but it is possible
for another user to use the magic cookie to access a server.

This protocol is available only in libraries in the OpenWindows Version
3 and later environments. Any applications built with static libraries, in
particular Xlib, in environments prior to OpenWindows Version 3 cannot use
this authorization protocol.

D.2.3.3 Changing the Default Authorization Protocol

The default authorization protocol, MIT-MAGIC-COOKIE-1,
can be changed to SUN-DES-1, the other supported authorization
protocol, or to no user-based access mechanism at all. You change the default
by supplying options with the openwin command. For example,
to change the default from MIT-MAGIC-COOKIE-1 to SUN-DES-1, start the OpenWindows software as follows:

example% openwin -auth sun-des

If you must run the OpenWindows software without the user-based access
mechanism, use the -noauth command line option:

example% openwin -noauth

Caution -

Using -noauth weakens security. It is equivalent to
running the OpenWindows software with the host-based access control mechanism
only; the server inactivates the user-based access control mechanism. Anyone
who can run applications on your local machine will be allowed access to
your server.